AUD444: Auditing Security and Controls of Active Directory and Windows

Auditors need to be able to understand how Active Directory operates and the key business risks that are present. This course was written to teach auditors how to identify and assess those business risks. Active Directory and Windows systems are typically well known and utilized within organizational infrastructures. However, they can be difficult to audit since there are a large number of settings on the end system. This course provides the tools and techniques to effectively conduct an Active Directory and Windows audit, and while doing so identify key business process controls that may be missing. Students have the opportunity to look at the business process controls and then how those can be verified by looking at Active Directory and the Windows systems that exist. Plus, students are taught how to add additional value to their audits by being able to identify the technology risks that may have been overlooked. The hands-on exercises reinforce the topics discussed in order to give students the opportunity to conduct an audit on their own Windows systems, as well as understand the different security options that Windows provides.

Course Syllabus

AUD444.1: Day 1

Overview

In order to properly audit Active Directory, auditors have to have an understanding of the Active Directory architecture and the role AD plays for an organization. These foundations and more are covered in order to provide a solid base to build from throughout the course.

CPE/CMU Credits: 6

Topics

Windows Foundational Concepts

Workgroups versus Domains

Common protocols

Querying registry data

Active Directory Concepts

Conducting an inventory of systems

Active Directory Design and Topology

Scoping considerations for an Active Directory and Windows Audit

Active Directory Responsibilities

Auditing the authentication process

Trusts

Domain Controllers Audit Steps

Active Directory Audit Steps

Group Policy

GPO application

Organizational Units

Global Catalog Best Practices Audit Steps

Schema Master Audit Steps

Operation Master Audit Steps

RODC

Domains and Forests

Delegation of Authority

Tools designed to query data from AD such as csvde, dsquery and more

Physical, Environment and Availability Controls

Facility controls

Data center controls

Physical Security Audit Steps for DCs

Fault Tolerance Audit Steps

Cabling Physical Security Controls

Backup controls

AUD444.2: Day 2

Overview

During this day we will add to the foundational concepts we covered in the first day and get into a number of the technical details for auditing, including access controls, change and patch management, encryption and vulnerability management. We also discuss key services such as DNS, IIS, SQL Server and RDS.

CPE/CMU Credits: 6

Topics

Network controls

Ports, Services and Protocol Stacks

IPv6 considerations

Network Segmentation Audit Steps

IDS and IPS considerations

Network Access Protection

Wireless best practices for Windows

Application controls

Controlling Software

Software Restriction Policies

AppLocker or Application Control Policies

Auditor Service Tips

DNS Audit Steps for AD

IE Security considerations

Remote Desktop Services

Change Control, Patching & Vulnerabilities

Managing and Auditing for IT vulnerabilities

Configuration Controls

Change Management

Patch Management

Vulnerability Management Audit Steps

Signs of Poor Vulnerability Management Processes

MBSA

Nmap Scripting Engine

Microsoft Support Lifecycle

Access Controls

Job Roles and Responsibilities

SOD Considerations

User Management Controls

Required Policies/Processes for Users and Groups

Account Recommendations for Administrators

Permissions

Ownership

Mandatory Integrity Control

User Account Control

High Risk Groups and Users

User, accounts and group management

Anti-virus and Malware Controls

Password Controls

Using tools to extract audit data for users and groups

Password Cracking and Audits

Authentication Alternatives

Kerberos and NTLM

Governance Controls

AUD444.3: Day 3

Overview

The final day of the course covers the last steps to include in an effective Active Directory and Windows audit program. Topics such as enabling successful auditing on the system, reviewing privileges, availability considerations, application control and service auditing are discussed.

CPE/CMU Credits: 6

Topics

Access Controls

Encryption Controls

Cryptography

Encrypting File System (EFS)

BitLocker

Hard Drive Encryption

Syskey

IPSec Best Practices

Shares

Identifying Changes

File Integrity Controls

Security Options and which ones are important to auditors

Security Option Audit Recommendations

Privileges

Categorizing Privileges according to risk

High Risk Right Recommendations

Audit Recommendations for Remaining Rights

Logging and Monitoring

Logging on the end system

Windows Logs

Centralized Logging

Signs of an Intrusion

Key Audit Event IDs

Logging for Availability Considerations

Recommended Logging Controls

Logging for Domain Controllers

Continuous Auditing

System Configuration, Continuous Auditing & Tools

System configuration audit checklist items

Using wmic for audit purposes

Security Configuration and Analysis

Using templates for auditing

Administrative Templates GPOs

Additional Information

Laptop Required

Students need to bring a laptop computer with an Ethernet network card and a CD-ROM drive. Students should use Windows 7 Professional or later, and need to have administrative access, including the capability to disable security features such as anti-virus software. Home or similar editions will not have the features needed. Students will also need to install RSAT before class, as the dsquery and csvde tools are needed for class. You can find the instructions for installation here.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Internal Auditors

IT Specialist Auditors

IT Auditors

IT Audit Managers

Information System Auditors

Information Technology Auditors

Information Security Officers

Other Courses People Have Taken

Any of the other audit courses.

What You Will Receive

The course CD includes audit scripts and tools that will assist in conducting an Active Directory and Windows audit.

Author Statement

As an auditor, Active Directory is one of the key systems that I audit regularly. Many other organizational systems rely on Active Directory and the security settings and controls it enforces to properly mitigate the risks to those systems. Therefore, auditors need an in-depth understanding of Active Directory and the controls it provides. During this course, we give the student the knowledge and tools to audit Active Directory and Windows, and be able to identify key business and process risks. Plus, we also provide the student with information to add additional value to organizations by being able to understand and make recommendations as it relates to these risks. - Tanya Baccam